A Lock on Data

Should it be custodians who hold control over financial data, or clients themselves?

Financial Planning - BY BOB VERES


Who owns a client’s financial data?

This question came up at a roundtable I recently hosted, and the subsequent conversation demonstrated that the answer may be more complicated than we realized.

On one hand, a growing number of advisors and their service providers are enhancing their clients’ experiences by organizing their finances in online client vaults. At the same time, a countervailing trend is increasingly making it harder to populate those vaults accurately.

Consolidated account statements are one issue, said panelist Eric Clarke, CEO of asset management solution provider Orion Advisor Services. Assets not directly managed by the advisor are included in performance reports, asset allocation software and client vaults, both as a convenience and as a way for the advisor to see a client’s full financial picture. This outside account data is most easily gathered using account aggregation software like ByAllAccounts, Yodlee and Quovo.

The most logical way to have these programs pull in information from outside brokerage accounts, 401(k) plans, bank accounts and credit card sites is for the advisor to collect every client’s user name and password for each client account, enter it into the software and instruct it to pull in the latest data every day, week or month. But if the advisor has access to those user names and passwords, that might be considered having custody of the clients’ accounts and might trigger the dreaded custody audit.

Instead, the advisory firm will have each client go into a room with a computer hooked up to the account aggregation engine, and the client will input user names and passwords in privacy. The software would store these keys to the data and pull the information without giving custody to the advisor.

In theory, this is great. But anybody who uses aggregation programs knows they quickly become an infernal headache. Some financial institutions require customers to change passwords periodically, cutting off the aggregation software’s access to account data until the client comes in and enters the new password. Or clients may change passwords without notifying the firm, blocking access to data.

In this era of increased hacking activity and cybersecurity awareness, consumers are being told (I think reasonably) to request two-factor authentication protocols on all their financial accounts. That way, if a hacker were to get hold of a client’s user name and password, and try to wire money elsewhere, the financial institution would text-message a code to the customer’s cell phone. Did you authorize this transaction? If the scammer doesn’t have the customer’s phone in hand, the scheme is stymied.

But two-factor authentication also makes it impossible for aggregation software to gather account and performance information for the client’s consolidated statements. Increasingly, as clients and institutions ramp up their cybersecurity protections, consolidated reporting becomes less and less feasible.

The roundtable participants then took up the question of who owns the client data. The consensus was that the account information was — technologically, at least — the property of the custodian. Credit card activity information is the property of the credit card company, banking records are the property of the bank and so forth. In a world where the data doesn’t exist unless you can access it, and where institutions control the access, de facto control belongs to the service providers, not the end client.

Joel Bruckenstein, the tech guru who helped facilitate this discussion at the T3 Enterprise conference, suggested a new kind of entity in the financial services world: a centralized client data repository. As he brainstormed with the panel, we eventually realized that clients could actually own their own data if somebody would build this repository and overlay it on the financial services world.

How would it work? Clients would give access to the repository the way they now do to an account aggregation engine, and the repository would become the entity that they log into, which would avoid the hassle of changing passwords and two-factor authentication. Two-factor authentication would give them straight-through access to each credit card, bank or brokerage account. The data now being collected by the account aggregation engines would be collected and consolidated at the repository.

Then, if clients wanted their advisor to create a client portal that organized their financial lives, the advisor could set up an account in eMoney, Box or Everplans, and the clients could specifically give the repository permission to send some or all of their financial data, nightly, to their client portal. Every portal and all the various asset management, CRM and financial planning engines would plug into one data source, one protocol, one API — and each client would have complete control of where the data does and doesn’t go.

This puts a lot of trust in one organization, which might have to be a nonprofit, and which would be regulated much like a custodian. Bruckenstein pointed out that, 10 or 15 years ago, if you were to ask your doctor for your medical records, the doctor (or hospital) would routinely tell you that you weren’t entitled to them. They owned the data. When the Affordable Care Act came along, it clarified that patients do indeed have the right to their own records and mandated that doctors and hospitals have computerized systems that would allow them to quickly retrieve and easily share this information with patients and other professionals.

Why should financial services be any different, Bruckenstein asked.

Is there any way advisors can bring clients into this repository world today? Eric Wulff of Aurum Wealth Management Group in Cleveland and Akron, Ohio, said his firm built trust with new clients by telling them, upfront, that they own the data that is collected in the normal course of the planning process.

To back this up, Wulff tells clients that, should they decide to leave his practice, he’ll port all their data to a box.com online filing account — including performance history, financial plan and client will, trust and other documents. That way, clients know their data is going to be safe and available, just as with the medical records.

By the end of the roundtable, we thought that, ideally, someday every advisor would set up a box.com account in each client’s name, owned by the client, establishing this sharing of data as a professional norm. (Note: I do not have a business relationship with box.com.)

That may not be a perfect solution, but for now it may be the best one we have available.
